Failure to Prevent Fraud: What Businesses, both Big and Small, Need to Know

A new corporate criminal offence of Failure to Prevent Fraud (“FtPF”) will come into force on 1 September 2025. It is set out in Section 199 of the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”).

Background to the FtPF Offence:

This offence applies to “large organisations” and to smaller organisations that are subsidiaries of large organisations.

Large organisations, as set out in Section 201 ECCTA, are those satisfying two or more of the following conditions:

  • more than 250 employees;
  • more than GBP36 million turnover (for a parent company, this threshold is applied to the resources of the group as a whole);
  • more than GBP18 million in total assets.

A large organisation will be held criminally liable where an “associated person” commits a base fraud offence (one of the offences listed in Schedule 13 ECCTA) during the organisation’s financial year, intending to benefit, directly or indirectly, the organisation itself or a client of the organisation, and the organisation did not have reasonable fraud prevention procedures in place.

An associated person, as set out in Section 199(7) ECCTA, includes:

  • an employee, agent or subsidiary undertaking of the large organisation; or
  • a third party, including a small organisation, that provides services for or on behalf of the large organisation.

Please note that there are two ways in which fraud committed by a subsidiary’s employee may fall within the scope of the offence:

  • If an employee of a subsidiary of a large organisation (where that subsidiary is not itself a large organisation) commits a fraud intended to benefit the subsidiary, the subsidiary may be prosecuted.
  • If an employee of a subsidiary of a parent company that is a large organisation commits a fraud intended to benefit the parent company, the parent company may be prosecuted.


UK Nexus:

This offence has extraterritorial reach, meaning that non-UK companies may be liable for a fraud where there is a “UK nexus”. There is a UK nexus where an act forming part of the fraud took place in the UK, or where the gain or loss occurred in the UK (section 199(10), ECCTA).

Scenarios:

  • If an employee or other associated person of an overseas-based large organisation commits fraud in the UK, or targets victims in the UK, that organisation could be prosecuted.
  • If a UK-based employee commits fraud, the employing organisation could be prosecuted, regardless of where the organisation is based.
  • The base offence could be committed by persons outside the UK, for example by staff of a non-UK branch, and still be caught if the fraud has a UK nexus, regardless of whether the organisation has a UK branch or subsidiary.

Defence to the offence (Section 199(4) ECCTA):

The organisation can defend itself by:

  • proving that it had reasonable fraud prevention procedures in place; or
  • proving that it was not reasonable in all the circumstances to expect it to have any such procedures in place (a considerably riskier position to rely on).

To determine whether an organisation had reasonable procedures in place to prevent fraud, the court will have regard to the six core principles set out in the UK government’s statutory guidance. These principles align closely with those already familiar to compliance professionals under the UK Bribery Act 2010 and the Criminal Finances Act 2017. However, the guidance explicitly states that steps taken to comply with other legislative or regulatory requirements may not, on their own, be sufficient to establish a defence to a FtPF charge.

The Six Principles

  1. Top-Level Commitment (Guidance, section 3.1)
    • Senior leadership must actively endorse a strong anti-fraud culture through clear communication, robust governance, training and resourcing.
  2. Fraud Risk Assessment (Guidance, section 3.2)
    • Organisations must regularly identify, assess and document the risk of an associated person committing fraud. One way of doing this is to ensure that the risk assessment has input from the key risk owners in the organisation. Note that a failure to conduct a risk assessment will rarely be considered reasonable by the court.
  3. Proportionate Procedures (Guidance, section 3.3)
    • Fraud prevention measures must be tailored to the nature, scale, complexity and risk profile of the business. A good starting point is a fraud prevention plan whose procedures are proportionate to the risks identified in the risk assessment.
  4. Due Diligence (Guidance, section 3.4)
    • Screening of third parties, partners and transactions must take fraud risk into account, especially in higher-risk activities.
  5. Communication and Training (Guidance, section 3.5)
    • Clear policies must be rolled out throughout the organisation and supported by continuing, targeted training, especially for those in the highest-risk roles. Indeed, the Government’s impact assessment suggested that large organisations should expect to deploy a team dedicated to FtPF compliance.
  6. Monitoring and Review (Guidance, section 3.6)
    • Continuous monitoring, review and improvement of fraud detection and prevention procedures are essential. This includes learning from audits and whistleblowing incidents, and drawing on data and advice from sector-specific guidance and from legal or regulatory bodies, including statements of prosecution priorities from the Serious Fraud Office or the Crown Prosecution Service, when reviewing prevention procedures.

Note: Compliance with these principles and with the UK government’s guidance is not a guaranteed “safe harbour”; the court will still ask whether the procedures were reasonable in the organisation’s particular circumstances.

Next steps

  1. Assess Applicability – Determine whether your organisation meets the criteria to fall within the scope of the ECCTA’s FtPF offence.
  2. Identify Associated Persons – Map out individuals and entities who qualify as “associated persons,” including employees, agents, subsidiaries, and third-party service providers.
  3. Conduct a Fraud Risk Assessment – Carry out and document a thorough fraud risk assessment to evaluate whether current internal controls effectively mitigate potential fraud risks.
  4. Strengthen Due Diligence – Ensure that due diligence procedures, particularly in high-risk areas such as third-party relationships and commercial transactions, address fraud risks appropriately.
  5. Review and Update Policies – Evaluate and, where necessary, revise existing anti-fraud policies and procedures to ensure they are robust and up to date.
  6. Communicate and Train – Clearly communicate your organisation’s fraud prevention expectations and deliver targeted training to employees, subsidiaries, and relevant business partners.
  7. Implement Monitoring and Audit Protocols – Establish ongoing fraud monitoring and audit mechanisms, especially in relation to third-party engagements, to ensure continuous oversight.

Final Thoughts

The new FtPF offence represents one of the most significant developments in corporate criminal law in recent decades. With implementation set for 1 September 2025 and potential prosecutions from Autumn 2025 onward, large organisations must act without delay to assess and strengthen their anti-fraud frameworks in line with the statutory guidance. Smaller businesses, too, should evaluate how their relationships with large organisations may expose them to risk under the new regime.

If you would like to understand how the FtPF offence may affect your organisation – and how best to prepare – please contact our team for tailored legal advice.

Date Published: 02/06/2025

Location: United Kingdom
